A Key for John Doe: Modeling and Designing Anonymous Password-Authenticated Key Exchange Protocols


Bibliographic Details
Published in: IEEE Transactions on Dependable and Secure Computing, Vol. 18, no. 3, pp. 1336-1353
Main Authors: Vasco, Maria Isabel Gonzalez; Pozo, Angel L. Perez del; Soriente, Claudio
Format: Journal Article
Language: English
Published: Washington, IEEE Computer Society, 01.05.2021
Summary: Anonymous Password-Authenticated Key Exchange (APAKE) can be seen as the hybrid offspring of standard key exchange and anonymous password authentication protocols. APAKE allows a client holding a low-entropy password to establish a session key with a server, provided that the client's password is in the server's set. Moreover, no information about the password input by the client or the set of valid passwords held by the server should leak to the other party, beyond whether the client's password lies in the server's password database or not. To the best of our knowledge, all APAKE proposals to date either assume client storage or force the client to remember the index assigned to its password in the server's database. Furthermore, earlier works either provide only informal definitions or fail in some sense to properly model the primitive. In this paper, we provide a formal security model for APAKE, capturing security and anonymity provisions for both clients and servers.
In addition, we present two APAKE protocols that only require clients to remember a password and that attain our sought key secrecy and anonymity guarantees. Our first protocol leverages oblivious pseudo-random functions, while the second one builds upon a special type of identity-based encryption scheme.
ISSN: 1545-5971, 1941-0018
DOI: 10.1109/TDSC.2019.2919013